1. Technical Field
The present invention relates generally to managing a trusted computing base in an enterprise computing environment wherein individual users execute programs written in untrusted code (e.g., Java) that invoke security-sensitive decisions or actions.
2. Description of the Related Art
Java, originally developed by Sun Microsystems, is an object-oriented, multi-threaded, portable, platform-independent, secure programming environment used to develop, test and maintain software programs. Java programs have found extensive use on the World Wide Web, which is the Internet's multimedia information retrieval system. These programs include full-featured interactive, standalone applications, as well as smaller programs, known as applets, that run in a Java-enabled Web browser or applet viewer.
Initially, programs written in Java found widespread use in Internet applications. As a result of this browser-centric focus, security concerns raised by Java primarily involved the security of the Java sandbox and the origin of the executable code (namely, the class). More recently, however, Java is beginning to move out of the browser and into widespread use in enterprise environments. This migration, however, has created new security concerns.
Browsers and Java were originally developed around the view of a single user, isolated from the rest of the world. That isolated view creates potential security problems in the context of an enterprise environment running a trusted computing base, because individual Java users are now the ones deciding whether it is appropriate to run applets and applications that wish to modify local resources. Thus, for example, consider an applet that desires to run with privileges outside the Java sandbox. Normally, the applet must be signed, and the signature must verify before those privileges are granted. If the signature fails verification (indicating either that the applet's class or archive file has become corrupted, or that deliberate tampering has occurred), the browser user may simply ignore the failure. The applet would then run as untrusted code, confined to the sandbox, but the enterprise would have no record of the corruption or of the potential attack. Another example would be a user running an applet that attempts to add or modify a certificate or key in a certificate database within the trusted computing installation.
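The signed-applet failure mode above, as an added illustration that is not part of the patent text: a bundle is modelled on a signed JAR (a manifest of per-entry SHA-256 digests plus a signature over the manifest), and the loader compares the browser-era decision, where a user who overrides a failed verification runs the applet sandboxed and nobody else learns of it, with an enterprise decision that also raises an event to the trusted computing base. An HMAC over the manifest stands in for the RSA/DSA signature block, and the key, bundle contents and event strings are constructed for the example.

```python
"""Constructed illustration of the signed-applet failure mode (not patent code).

A bundle is modelled after a signed JAR: a manifest listing a SHA-256 digest for
every entry, plus a signature over the manifest. Assumption: an HMAC with a shared
verification key stands in for the X.509-backed RSA/DSA signature block.
"""
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class Bundle:
    entries: dict      # filename -> bytes (the applet's classes)
    manifest: bytes    # "name:sha256hex\n" per entry, sorted by name
    signature: bytes   # HMAC-SHA256 over the manifest (signature stand-in)


def build_manifest(entries):
    return "".join(
        f"{name}:{hashlib.sha256(data).hexdigest()}\n"
        for name, data in sorted(entries.items())
    ).encode()


def sign_bundle(entries, signing_key):
    manifest = build_manifest(entries)
    sig = hmac.new(signing_key, manifest, hashlib.sha256).digest()
    return Bundle(entries, manifest, sig)


def verify_bundle(bundle, verify_key):
    """Return (ok, reason). The signature is checked first, then every entry
    digest, so tampering with the manifest and tampering with a class are
    both detected."""
    expected = hmac.new(verify_key, bundle.manifest, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bundle.signature):
        return False, "signature does not verify against manifest"
    if build_manifest(bundle.entries) != bundle.manifest:
        return False, "entry digest mismatch (corrupted or tampered class)"
    return True, "verified"


@dataclass
class Outcome:
    mode: str                                     # "privileged", "untrusted" or "refused"
    notified: list = field(default_factory=list)  # events delivered to the TCB


def load_applet(bundle, verify_key, user_overrides_failure, enterprise_mode):
    """Decide how an applet runs.

    enterprise_mode=False reproduces the browser-era behaviour: a failed
    verification is left to the user, and an override runs the applet in the
    sandbox with nobody else informed.
    enterprise_mode=True makes the same decision but also raises audit events
    to the trusted computing base, whatever the user chooses.
    """
    ok, reason = verify_bundle(bundle, verify_key)
    out = Outcome(mode="privileged" if ok else "refused")
    if ok:
        return out
    if enterprise_mode:
        out.notified.append(f"signature-failure: {reason}")
    if user_overrides_failure:
        out.mode = "untrusted"  # sandboxed, no privileges outside the sandbox
        if enterprise_mode:
            out.notified.append("user overrode verification failure; running untrusted")
    return out


# Constructed sample data: a key, a two-class applet, and a copy with one class replaced.
KEY = b"demo-verification-key"
GOOD = sign_bundle(
    {"Main.class": b"\xca\xfe\xba\xbe good", "Util.class": b"\xca\xfe\xba\xbe util"}, KEY
)
TAMPERED = Bundle(
    dict(GOOD.entries, **{"Main.class": b"\xca\xfe\xba\xbe evil"}),
    GOOD.manifest,
    GOOD.signature,
)

if __name__ == "__main__":
    print(load_applet(GOOD, KEY, False, True))        # privileged, no events
    print(load_applet(TAMPERED, KEY, True, False))    # untrusted, TCB hears nothing
    print(load_applet(TAMPERED, KEY, True, True))     # untrusted, TCB receives two events
```

The point of the two `TAMPERED` calls is that the applet's own behaviour is identical in both: it is sandboxed either way. What changes is whether the trusted computing base ever learns that a user chose to proceed past a verification failure.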
It would be desirable to be able to provide the trusted computing base with a notification in the event that a user running untrusted code undertakes a security-sensitive decision or operation.